
CRYS_ECDSA_Sign signature encoding?

Hello, I am doing some testing with nRF52840 and its CryptoCell 310 and I am trying to produce an ECDSA signature and verify it using mbedTLS.

CC310 Sign & Verify is working great, but how can I convert this signature into another format, for example the DER used by mbedTLS?

This is what an mbedTLS ECDSA signature looks like; we can see the DER header in there:

3045022100B0B64DB18F6E0003FAAF31A4AEEF291B4104532F446FC45C0F074ED82935C7500220226060EDCAA553C605AD1F598CA63FD6172EB3F0BC9AACDCA16EAB7509E215DD

Signature produced by CRYS_ECDSA_Sign looks like this:

ACCDC3BCA844324A7B440C3BB19377BE6C06223BB2E903920CF23AE0B3F0243A2F321E1EE01C9A449AFAC203D398B20D6DA0E2629483127F08C07995DB1F72FF


How are R and S encoded in this signature? Is there any function that can convert it into the DER encoding used in mbedTLS? I have been stuck on this one for over a day. Please help.

Thanks in advance

  • Turns out I was doing the conversion correctly. After calling CRYS_ECDSA_Sign with the "CRYS_ECPKI_AFTER_HASH_SHA256_mode" hash mode and feeding in its SHA256 hash instead of the message, it worked and MbedTLS has verified it properly.

    Well, still not sure why it didn't work with "CRYS_ECPKI_HASH_SHA256_mode", but at least I got it working now.

  • Hi Dadas,

    Can you please tell me what the output format of the Sign algorithm is and how you convert the signature to DER format?

    I am stuck on this as well, and couldn't figure it out from your answer.

    Thanks in advance!

  • Hello, I ended up using ecdsa_signature_to_asn1 from mbedtls

    CRYS_ECDSA_Sign(&rndCtx,&signtmp,&Priv,HASHMODE,(uint8_t*)hash,hlen,hwsig,&hwsiglen);

    - output is written to the hwsig buffer, first half is the R parameter and second half is the S parameter, so I read these numbers into mbedtls MPI format and then call ecdsa_signature_to_asn1

    mbedtls_mpi r, s;
    mbedtls_mpi_init( &r );
    mbedtls_mpi_init( &s );

    mbedtls_mpi_read_binary(&r,hwsig,keysize);
    mbedtls_mpi_read_binary(&s,hwsig+keysize,keysize);

    ecdsa_signature_to_asn1(&r,&s,sig,slen);

    Hope this helps, have a nice day
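
The conversion described in the answer above, written without any mbedTLS dependency, as an added example that is not part of the original thread. It assumes the raw layout stated there (first half R, second half S, both big-endian) and goes beyond the P-256 case by handling halves up to 66 bytes (P-521); the names `ecdsa_raw_to_der` and `der_put_uint` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Write one DER INTEGER (tag 0x02) for a big-endian unsigned value.
 * Returns bytes written. Caller guarantees room for n + 3 bytes. */
static size_t der_put_uint(const uint8_t *v, size_t n, uint8_t *out)
{
    size_t pad, len;
    while (n > 1 && v[0] == 0x00) { v++; n--; }  /* DER wants minimal length */
    pad = (v[0] & 0x80) ? 1 : 0;   /* leading 0x00 keeps the value positive */
    len = n + pad;
    out[0] = 0x02;
    out[1] = (uint8_t)len;         /* at most 67, so short-form length */
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, n);
    return 2 + len;
}

/* Convert raw r||s (two equal-width big-endian halves) into a DER
 * ECDSA-Sig-Value: SEQUENCE { INTEGER r, INTEGER s }.
 * Returns the DER length, or 0 on bad input or a too-small buffer. */
size_t ecdsa_raw_to_der(const uint8_t *raw, size_t raw_len,
                        uint8_t *der, size_t der_cap)
{
    uint8_t body[2 * (2 + 1 + 66)];   /* worst case for P-521 */
    size_t half = raw_len / 2, body_len, hdr;

    if (raw == NULL || der == NULL || raw_len == 0 ||
        (raw_len & 1) || half > 66)
        return 0;
    body_len  = der_put_uint(raw, half, body);
    body_len += der_put_uint(raw + half, half, body + body_len);

    hdr = (body_len < 0x80) ? 2 : 3;  /* long-form length above 127 bytes */
    if (der_cap < hdr + body_len)
        return 0;
    der[0] = 0x30;
    if (hdr == 2) {
        der[1] = (uint8_t)body_len;
    } else {
        der[1] = 0x81;
        der[2] = (uint8_t)body_len;
    }
    memcpy(der + hdr, body, body_len);
    return hdr + body_len;
}
```

The output length varies between signatures (70 to 72 bytes for P-256) because of the sign-padding and leading-zero rules, so the verifier must be given the returned length rather than a fixed size.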
